| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAM2Hf5kWigW1tqqfO9UAY8DnYbbgof-P0m-uTuhEaTwSeVgLWw@mail.gmail.com> Date: Mon, 7 May 2012 08:17:34 -0700 From: Gage Bystrom <themadichib0d@...il.com> To: Valdis.Kletnieks@...edu, full-disclosure@...ts.grok.org.uk Subject: Re: [OT] New online service to make XSSs easier Anyone visiting a compromised site can get the hash, meaning anyone who is looking for it can find it and lets any random person(assuming stored) visiting to be able to grab all the cookie values. That's not even my personal concern. My concern is why should I trust the owner? Whether you are a black hat, white hat, or myriad of other assorted hats you would be allowing sensitive information to sit on this guy's server. How do we know he isn't silently making a copy of all the data for his own ends? Simply we don't. On Mon, May 7, 2012 at 6:03 AM, <Valdis.Kletnieks@...edu> wrote: > On Mon, 07 May 2012 02:27:33 +0530, karniv0re said: > >> And this is anonymous.. How?? > > Haven't checked, but if you set up the userid/password via Tor, should > be pretty anonymous. > >> http://www.getmycookie.com/view.m3?hash=<insert_hash_here> > > And you get somebody else's hash value, how? > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists